Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.
Próximo SlideShare
What to Upload to SlideShare
Siguiente

6

Compartir

Hacking WebApps for fun and profit : how to approach a target?

Above are my slides I used during a workshop I conducted at the Moroccan Cyber Security Camp back in May 2017.

Hacking WebApps for fun and profit : how to approach a target?

  1. 1. Hacking WebApps for fun and profit : how to approach a target? Yassine ABOUKIR
  2. 2. What not to expect? • This session is not about penetration testing. • This session will not cover all web vulnerabilities. • This session will not cover basic technical knowledge.
  3. 3. What to expect? • An introduction to bug bounty industry • How to start your journey in bug hunting. • How to conduct web vulnerabilities assessment (Black- box approach) • Introduction to some essential hacking tools. • How to bypass a few common vulnerabilities protection. • How to write a kick-ass security report.
  4. 4. Presentation • Security Analyst at HackerOne Inc. • Author at InfoSec Magazine. • Occasional bug bounty hunter (Listed in Microsoft, Yahoo, Facebook, Google, Twitter etc Hall of fame) – Ranked 11th on HackerOne. • Student at ISCAE (MSc in Corporate Finance) - Casablanca • Double Degree at IESEG School Of Management (MSc in Management of Information Systems) - Lille, France
  5. 5. Quick Questions • How many of you have basic technical background (HTTP, TCP/IP, Web technologies etc.)? • How many of you know about OWASP TOP10? • How many of you participated in a Bug Bounty Program?
  6. 6. Bug Bounty Industry Facebook offers a minimum of $500 US and paid out over $4.3 million to researchers around the globe. Microsoft offers a minimum of $500 US and paid out over $500K
  7. 7. Perks of being a bug bounty hunter  Hacking legally.  Have fun.  Earn money.  Sharpen your skills.  Build your CV.  Expand your network.  Make the world more secure.
  8. 8. Bug Bounty Platforms
  9. 9. Vulnerabilities Assessment VS Pentesting • Vulnerability assessment is more about identifying and prioritizing security vulnerabilities. • Penetration testing (Pentesting) is designed to achieve a specific, attacker-simulated goal (Access private network, database etc.)
  10. 10. Hacking Methodology
  11. 11. Planning It is extremely important to read the program brief thouroughly before starting. • Domains and IPs In-Scope. • In-Scope Vulnerabilities. • Out Of Scope Vulnerabilities. • Other Useful Information. Eg: Twitter bug bounty program (https://hackerone.com/twitter)
  12. 12. Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire. Functionalities: • Web Proxy • Web Crawler • Reapeter • Intruder • Web Scanner • Comparer • Extender
  13. 13. Reconnaissance • Understand web application logic. • Map the used stack (Tool: Wappalyzer Addon) • Spidering the application (Tool: Burpsuite) • Check Robots.txt file. • Google Hacking. • Bruteforcing Directories (Tool: DirBuster)
  14. 14. DNS Recon Check the server’s DNS records using DNSRecon. Interesting things to look for : • DNS Zone transfer (Nslookup –query=axfr example.com) • SPF records (Spoofing Demo : https://emkei.cz/) • MX records (Uber $10,000 US bug to Uranium238) • DNSSEC configuration • Etc.
  15. 15. Port Scanning Use Nmap to look for open ports in a web server and corresponding services. • 25 for SMTP • 22 for SSH • 23 Telnet • 21 for FTP • 115 for SFTP • 110 for POPs • 443 HTTPS • 80 HTTP Sudo apt-get install nmap
  16. 16. SSL/TLS Web applications use TLS to secure all communications between their servers and web browsers.  Heartbleed  Drown attack  Poodle attack  Use of weak ciphers (RC4)  Expired TLS certificate  Insecure Client-Initiated Renegotiation (Should be disabled)  Etc.
  17. 17. SSL/TLS Demo: https://www.ssllabs.com/ssltest/analyze.html?d=twitter.com
  18. 18. Subdomains Bruteforcing  Check for subdomains with private instances. stage.example.com, dev.example.Com, testing.example.com, vpn.example.com  Check for potential subdomains takeover. Support.example.com, help.example.com, forums.example.com Tool : Sublist3r
  19. 19. Subdomains Bruteforcing
  20. 20. Subdomains Bruteforcing W0rm$ host blog.redbooth.com Non-authoritative answer: og.redbooth.com is an alias for teambox-redirect-to-new-blog.herokuapp.com.
  21. 21. Demonstration Subdomain takeover (http://help.yassineaboukir.com)
  22. 22. Github Leakage Hard coding credentials and pushing the code to GitHub is a common mistake. Look for :  AWS Keys (AWS_SECRET_ACCESS_KEY)  Passwords  Slack tokens (xoxs-token)  Private API Keys  SSH Keys (id_rsa, ---BEGIN RSA PRIVATE KEY---)  Etc.
  23. 23. Cross-Site Scripting (XSS) XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Types:  Reflected XSS  Stored XSS  DOM-Based XSS  Cookie-based XSS  Flash-based XSS
  24. 24. Cross-Site Scripting (XSS) Exploitation : • Execution of malicious Javascript • Execute Client-Side Exploits • Bypass CSRF protection • Temporary defacements and other nuisances
  25. 25. Cross-Site Scripting (XSS) • Reflected XSS Demonstration. • Stored XSS Demonstration. • Exploitation of Stored XSS : Hijacking Session Cookie.
  26. 26. Cross-Site Scripting (XSS) Testing for XSS: • '';!--"<img>=&{()} • <img/src=x onerror=alert(0)> • <svg/onload=alert(0)> • <SCRIPT/SRC=//⒕₨?
  27. 27. Cross-Site Scripting (XSS) Techniques to bypassing XSS filters: • Use polyglot payload : <input type="text" value=" jaVasCript:/*-/*`/*`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/-- !>x3csVg/<sVg/oNloAd=alert()//>x3e "></input> • XSS in Link inputs: javascript://www.google.com/%0Aalert(1337);//http:// • Bypasses list : https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet • Polyglot payloads : https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
  28. 28. Cross-Site Request Forgery
  29. 29. Cross-Site Request Forgery
  30. 30. Cross-Site Request Forgery
  31. 31. Cross-Site Request Forgery
  32. 32. Cross-Site Request Forgery Protection bypass techniques : • Remove token parameter. • Leave token value blank. • Alter token value but keep same length. • Try another user token. • Check if token is regenerated upon logout/login. • Analyze token complexity.
  33. 33. Clickjacking Attack Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the the top level page.
  34. 34. Clickjacking Attack X-Frame-Options: DENY X-Frame-Options: SAMEORIGIN X-Frame-Options: ALLOW-FROM https://example.com/
  35. 35. Clickjacking Attack
  36. 36. SQL Injection A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data - OWASP
  37. 37. SQL Injection Types of SQLi  Error-based SQLi  Blind SQLi  Boolean-based (content-based) Blind SQLi  Time-based SQLi
  38. 38. SQL Injection Damn Vulnerable Web Application www.dvwa.co.uk Demonstration
  39. 39. -u : Specify the vulnerable target -d : Vulnerable parameter (Injection point) --Cookie: Cookies --data : Parameters in case of a POST request --dbs : List all databases --tables : List all tables or tables of a specific database --columns : List all columns, or columns of a specific table in a DB. --dump : Extract information from the database.
  40. 40. SQL Injection Testing for SQLi :  Single Quote : ‘  Boolean expression : 1' or '1' = '1 ' or 1=1 /*  Time expressions : 1' AND (SELECT * FROM (SELECT(SLEEP(5)))x) AND '1'='1 ‘ and sleep(10)/* BENCHMARK(10000000,SHA1(1)) ';waitfor delay '0:0:10'--
  41. 41. Insecure Direct Object References Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files. (User A) https://www.mybank.com/balance.php?account_id=123 (User B) https://www.mybank.com/balance.php?account_id=124
  42. 42. Insecure Direct Object References POST Request: https://hackerone.com/reports/136114
  43. 43. Open Redirects Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. https://mail.google.com/?redirect=http://mail.gooogle.com/
  44. 44. Open Redirects Bypass methods: • http://www.example.com/login?redirect=//evil.Com • http://www.example.com/login?redirect=evil.Com • http://www.example.com/login?redirect=@evil.Com • http://www.example.com/login?redirect=//evil.Com • http://www.example.com/login?redirect=http://evil.com • http://www.example.com/login?redirect=http:google.com • http://www.example.com/login?redirect=http:///@evil.com//
  45. 45. Broken Authentication and Session Management • Insecure login forms (Use of GET method for example) • Login form prone to bruteforcing (Lack of captcha, account lock-out, rate- limit) • Session Cookie not invalidated upon Logout/Password Change or Reset. • Improper Browser Caching (Autocomplete ON, Lack of caching directives in HTTP requests) • Valid Accounts Enumeration (Invalid username: e-mail address is not valid or the specified user was not found.) • Session Fixation (PHPSESSID=5a3ecbee2d4e29eacf783d142f9ebf95) • Weak session complexity
  46. 46. Report Redaction • Executive Summary • Vulnerability Description • Affected URL/Parameters • Risk assessment • Steps Of Reproduction • Proof Of Concept • Recommended fix • References
  47. 47. Resources Useful links: • http://hackerone.com/hacktivity • https://github.com/ngalongc/bug-bounty-reference/blob/master/README.md
  48. 48. Let’s stay in touch E-mail : Hello@yassineaboukir.com Twitter : @Yassineaboukir LinkedIn : /in/yaboukir Blog : http://www.yassineaboukir.com/blog/
  • AmanSolanki33

    May. 14, 2021
  • SurendiranS1

    May. 19, 2019
  • NamishChaturvedi

    Nov. 21, 2017
  • SleepyEinstein

    Nov. 21, 2017
  • AbdessamadTEMMAR

    Nov. 20, 2017
  • GhssisseAimad

    Nov. 20, 2017

Above are my slides I used during a workshop I conducted at the Moroccan Cyber Security Camp back in May 2017.

Vistas

Total de vistas

3.006

En Slideshare

0

De embebidos

0

Número de embebidos

174

Acciones

Descargas

0

Compartidos

0

Comentarios

0

Me gusta

6

×